Sunday, October 14, 2012

CSR's USB programmer protocol analysis

In this post I will give you some info about the protocol used between the BlueSuite tools and the USB programmer. With this info you will be able to create a partially compatible programmer or write a program which can use CSR's programmer.

If you want to learn the protocol, please read on.

Thursday, October 11, 2012

Dumping BlueCore4 firmware on Linux

After a month or two of reverse engineering the BlueSuite tools and the USB programmer I finally succeeded in creating a simple program for dumping firmware. A lot of clues also came from the partial BlueSuite source code released by CSR. So, in short, the dumping process is as follows:

  • Stop and reset processor
  • Upload helper program in RAM of BlueCore processor
  • Check the size of the flash memory
  • Download firmware page by page
  • Check data integrity by checking CRC code of every page
  • Reset and run processor

The most interesting part of this process is the helper program, which does most of the heavy lifting. It's responsible for reading/writing flash memory, calculating CRC codes, providing info about the flash memory, etc. Interestingly enough, this program, along with some useful info, can be found in the boot_prog_flash_bc.h file from the BlueSuite source code.
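To make steps 4 and 5 of the process concrete, here is an added example (not code from CsrUsbProg, and not the helper from boot_prog_flash_bc.h) of the page-by-page download loop with the per-page CRC check. The flash is a constructed in-memory stand-in; the page size of 16 words, the CRC-16 parameters and the simulated transfer glitch are all assumptions for this example, since the real helper defines its own page size and checksum.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

// Page size is an assumption for this example; the real helper program
// from boot_prog_flash_bc.h defines its own.
constexpr std::size_t kPageWords = 16;

// CRC-16 (CCITT polynomial 0x1021, init 0xFFFF) over 16-bit words, high byte
// first. Only the consistency between the two sides matters for the check.
std::uint16_t crc16(const std::vector<std::uint16_t>& words) {
    std::uint16_t crc = 0xFFFF;
    for (std::uint16_t w : words) {
        for (int shift = 8; shift >= 0; shift -= 8) {
            crc ^= static_cast<std::uint16_t>(((w >> shift) & 0xFF) << 8);
            for (int bit = 0; bit < 8; ++bit)
                crc = (crc & 0x8000) ? static_cast<std::uint16_t>((crc << 1) ^ 0x1021)
                                     : static_cast<std::uint16_t>(crc << 1);
        }
    }
    return crc;
}

// Constructed stand-in for the BlueCore flash as seen through the helper:
// readPage() is what arrives over SPI/USB, pageCrc() is what the helper
// computes on-chip. One page is made to arrive corrupted the first time
// around, to model a transfer error on the programmer path.
struct FakeFlash {
    std::vector<std::uint16_t> words;
    std::size_t glitchPage;
    int glitchesLeft;

    std::size_t pageCount() const { return words.size() / kPageWords; }

    std::vector<std::uint16_t> readPage(std::size_t page) {
        auto first = words.begin() + static_cast<std::ptrdiff_t>(page * kPageWords);
        std::vector<std::uint16_t> out(first, first + static_cast<std::ptrdiff_t>(kPageWords));
        if (page == glitchPage && glitchesLeft > 0) {
            --glitchesLeft;
            out[3] ^= 0x0100;  // flip one bit: corrupted transfer
        }
        return out;
    }

    // CRC over the page as stored on-chip (unaffected by transfer glitches).
    std::uint16_t pageCrc(std::size_t page) const {
        auto first = words.begin() + static_cast<std::ptrdiff_t>(page * kPageWords);
        return crc16(std::vector<std::uint16_t>(first, first + static_cast<std::ptrdiff_t>(kPageWords)));
    }
};

struct DumpResult {
    std::vector<std::uint16_t> image;
    int retries;  // pages re-read because of a CRC mismatch
};

// Download page by page, compare the CRC of what arrived with the CRC the
// helper reports, and re-read the page on mismatch; give up after maxRetries.
DumpResult dumpFlash(FakeFlash& flash, int maxRetries) {
    DumpResult result{{}, 0};
    for (std::size_t page = 0; page < flash.pageCount(); ++page) {
        int attempts = 0;
        for (;;) {
            std::vector<std::uint16_t> data = flash.readPage(page);
            if (crc16(data) == flash.pageCrc(page)) {
                result.image.insert(result.image.end(), data.begin(), data.end());
                break;
            }
            if (++attempts > maxRetries)
                throw std::runtime_error("CRC mismatch persists on page " + std::to_string(page));
            ++result.retries;
        }
    }
    return result;
}

// True if dumpFlash gives up on the image (a page that never verifies).
bool dumpFails(FakeFlash& flash, int maxRetries) {
    try { dumpFlash(flash, maxRetries); return false; }
    catch (const std::runtime_error&) { return true; }
}

// Constructed sample image: 4 pages with a recognisable word pattern.
FakeFlash makeSampleFlash(std::size_t glitchPage, int glitches) {
    FakeFlash flash{{}, glitchPage, glitches};
    for (std::size_t i = 0; i < 4 * kPageWords; ++i)
        flash.words.push_back(static_cast<std::uint16_t>(0xA000 + i * 7));
    return flash;
}

int main() {
    FakeFlash flash = makeSampleFlash(2, 1);  // page 2 arrives corrupted once
    DumpResult r = dumpFlash(flash, 3);
    std::printf("dumped %zu words, %d page(s) re-read\n", r.image.size(), r.retries);
    return r.image == flash.words ? 0 : 1;
}
```

The point of checking the CRC on the host against the CRC computed on-chip is that a bit flipped anywhere on the SPI or USB path shows up as a mismatch on exactly that page, so only that page is transferred again rather than the whole image.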

If you want to use my program, you must first build the USB programmer described in the previous post (or buy one if you can afford it). For now, this is the only supported programmer because I don't currently own any decent computer with an LPT port. If anyone is interested in helping me with that or any other part, please contact me.
For now, the only dependency is libusb-1.0. In Ubuntu you can install it by typing:

sudo apt-get install libusb-1.0-0-dev

Then download the source code from here. I primarily use QtCreator for developing this program, but if you don't want to install it, you can use the following command to build the program:

g++ main.cpp usbdriver.cpp usbprogrammer.cpp stopwatch.cpp devicemanager.cpp flash.cpp -lusb-1.0 -o CsrUsbProg

When you finally have all things connected and compiled, you can run the program by typing:

./CsrUsbProg dump firmware.xuv

Probably you will get an error message saying that the program can't connect to the programmer. The problem is USB access permissions. A quick and temporary solution is to run the program as root. A second, more permanent solution is to add a udev rule that sets the permissions. This can be achieved with the following commands:

sudo su
# 0a12:0042 is the USB vendor:product ID of the CSR programmer
echo 'SUBSYSTEM=="usb", ACTION=="add", ATTR{idVendor}=="0a12", ATTR{idProduct}=="0042", GROUP="usbuser"' > /etc/udev/rules.d/10-CsrProg.rules
udevadm control --reload-rules
exit


After that, you must re-plug the programmer, create a group named "usbuser" and add yourself to it. You can do that by typing:

sudo groupadd usbuser
sudo usermod -aG usbuser "$USER"   # membership takes effect on your next login
newgrp usbuser                     # or start a shell with the new group right away
# re-plug the programmer after the group exists, so udev can assign it


Now you should finally get a firmware image in XUV format, which is also supported by the BlueSuite tools. Actually it is just the XDV and XPV files combined together. Remember, this is only a proof-of-concept program and it is not meant to be used for real work. A lot of error handling code is missing, among other things. The standard disclaimer applies.

Maybe if we ask CSR really nicely, they could provide us with a Linux version of the BlueSuite tools and I wouldn't need to develop this program anymore. Based on the amount of Linux-specific code in the BlueSuite source code, I think they probably already have a Linux version.

Monday, October 8, 2012

USB programmer for CSR Bluetooth chips

After a lot of searching through the web, I couldn't find any home-made or cheap CSR USB programmer, so I became eager to find a way to make it myself. I logged on to csrsupport.com and started digging. Soon enough I found a firmware update for their official USB programmer. I thought I could use it in some way to make my own programmer, and my predictions were correct. In the rest of this post, you can read how to make it yourself.

DISCLAIMER: I'm not responsible for anything that might happen to you or your equipment if you follow this tutorial. I also can't guarantee that the method described below will work for you. I do not own the firmware and I won't host it anywhere. If you want it, create an account and download it from csrsupport.com!

First, you should buy some BlueCore3-Multimedia External Bluetooth modules (yes, they use their own chip for the USB programmer). These modules are a little harder to get nowadays, but I managed to order a few from stalmart.com. In the meantime, while you are waiting for your modules, I strongly suggest that you get familiar with the material on Byron's blog and make the LPT programmer cable which is described on that page. You don't really need to make the case with pogo pins, but it won't hurt. Unfortunately, you can't make the USB version of the programmer if you don't have an LPT version first (chicken and egg problem). Now, when you have all the main components, it's time to make a breakout board. Here you can find the Eagle files and part list for my board. If you use it, please make sure that the module layout is the same as yours. If you don't know how to etch and/or solder, get some help from someone who knows or study tutorials on the net. Here is the pinout of my board:


Breakout board pinout

After you have finished your hardware, it's time to go to the software part of the tutorial. I assume you are familiar with the process of dumping/flashing firmware and setting pskeys. If you aren't, please read the excellent tutorial on how to do that on Byron's blog. First connect the board to the USB port and the LPT programmer. Then make sure that your module has at least a loader already flashed on. To check this, fire up BlueFlash and click "Firmware ID". If it says something like "bc3k_8unified_fl_bt2.0_22_0702091828_encr56 2007-02-09" then it is OK. Otherwise a loader should be flashed first. You can get mine here.

Firmware ID check

Now the following pskey must be set:

PSKEY_HOST_INTERFACE_PIO_USB (friendly name: USB host interface selection PIO line) to value 0x0009

This pskey is a little trick which I use to make the USB connection work. Some (or most?) loaders don't want to connect to the PC via USB even if they are configured via pskeys to do so. I don't know why that is so; maybe I'm missing something, but for now this workaround works perfectly. Connect the PIO9 pin to Vcc. Re-plug USB and voilà! Download the firmware upgrade file from here (USB-SPI Converter section) and flash it with DFUWizard (from BlueSuite). Now you should get a message that a new device has been found (otherwise just re-plug USB). The driver should be installed automatically. If not, it can be installed manually from the BlueSuite folder. Congratulations, now you have a fully working USB SPI programmer for CSR's chips!

This programmer supports the whole line of products from CSR, not only the BlueCore family. It also supports a JTAG interface, but I didn't bother to identify the pins used, because I don't own any CSR device which could be programmed through JTAG.

How to connect your new USB programmer to other modules:
  • PIO0 -> CSB
  • PIO1 -> MISO
  • PIO2 -> MOSI
  • PIO3 -> CLK
  • GND -> GND (in case you forgot)
And proof from my computer, which runs Windows 7 64-bit (it's localized, but you'll understand):

USB SPI programmer check

In the next article I'll write about the reverse engineering effort to write a Linux application for dumping and flashing BlueCore4-Ext devices (dumping already works :)).

EDIT:
For those who have problems with the programmer: take a look at the pskeys taken from a working programmer here. Make a full dump of your pskeys before you make any change. Don't change any trim or other calibration values. It will make things worse.